Some vehicles are paired with key fobs. The key fobs are configured to transmit encrypted commands (e.g., lock, unlock, start) to the vehicles. Recently, however, thieves (also known as roll jammers) have developed a roll jamming attack to unlock vehicles. As described below with reference to FIG. 8, the roll jamming attack generally involves the thief or roll jammer intercepting and storing a valid unlock command. The thief or roll jammer subsequently transmits the valid unlock command at a later time.
As shown in FIG. 8, a known key fob 10 is configured to communicate with a known vehicle 20. The communication may cause the vehicle 20 to unlock. Key fob 10 appends a rolling code to each wireless message, and each rolling code is greater than the one appended to the previous message. Vehicle 20 stores a rolling code base. Vehicle 20 authenticates a wireless message when the rolling code of the wireless message is greater than the rolling code base. Upon accepting a wireless message, vehicle 20 updates the rolling code base to match the rolling code in the wireless message.
For example, imagine that the rolling code base of vehicle 20 is ten. A user presses an unlock button on the key fob 10. The key fob 10 appends a rolling code of eleven to the message. The message, however, does not arrive at vehicle 20 (e.g., the key fob 10 is too far from vehicle 20 and the message attenuates). The user notices that the vehicle has not unlocked and presses the unlock button on the key fob 10 for a second time. The key fob 10 now appends a rolling code of twelve to the message. The vehicle receives the message and compares the rolling code of the message (twelve) to the rolling code base (ten). Because twelve is greater than ten, the vehicle unlocks and updates the rolling code base from ten to twelve.
FIG. 8 is a schematic of a roll jammer (also called “rolljam”) attack. The roll jammer attack is designed to give an unauthorized third party, the roll jammer 30, access to the vehicle 20 by storing and then re-transmitting a valid wireless signal with a valid rolling code.
Key fob 10 transmits a valid wireless message 451 (i.e., a message with a rolling code greater than the rolling code base of the vehicle 20). The roll jammer 30 intercepts the wireless message 451, records the wireless message 451, and jams the wireless message with a first signal jam 457a so that the vehicle 20 does not receive the wireless message 451.
The user notices that the vehicle 20 has not performed the command 401b associated with the wireless message 451. The user causes the key fob 10 to generate a second wireless message 452. Again, the roll jammer 30 intercepts the second wireless message 452, records the second wireless message 452, and jams the second wireless message with a second signal jam 457b so that the vehicle 20 does not receive the second wireless message 452.
Shortly thereafter, the roll jammer 30 transmits the stored first wireless message 451 to the vehicle 20. Since the first wireless message 451 is still valid (i.e., includes a valid rolling code), the vehicle 20 authenticates the message at block 453 and performs the command associated with the message at block 454. This action could be unlocking the vehicle doors. The user incorrectly assumes that the second wireless message 452 transmitted from the key fob 203 caused the vehicle to perform the command 401b. 
The roll jammer 30 now possesses a copy of the second wireless message 452. The second wireless message 452 is valid because it includes a rolling code 401c greater than the rolling code 401c of the first wireless message 451. At a later time (e.g., a few hours later), the roll jammer 30 transmits the second wireless message 452 to the vehicle 20. The vehicle 20 authenticates the second wireless message 452 at block 455 and performs the command 401b associated with the second wireless message, such as unlocking the vehicle doors at block 456.
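The receiver-side rule described above can be modeled in a few lines. The following is an added illustration, not part of the original disclosure: it models only the rolling code comparison (no radio and no encryption), and the class names, the message layout, and the starting rolling code base of ten in the FIG. 8 scenario are assumptions made for the example.

```python
# Added illustration: counter logic only; names and values are constructed.
class Vehicle:
    def __init__(self, rolling_code_base):
        self.rolling_code_base = rolling_code_base

    def receive(self, message):
        """Accept only when the rolling code is greater than the base."""
        if message["rolling_code"] > self.rolling_code_base:
            self.rolling_code_base = message["rolling_code"]
            return True   # command is performed
        return False      # stale rolling code, message is ignored


class KeyFob:
    def __init__(self, last_code):
        self.last_code = last_code

    def press(self, command):
        """Each press appends a rolling code greater than the previous one."""
        self.last_code += 1
        return {"command": command, "rolling_code": self.last_code}


def missed_message_scenario():
    """Base ten; code eleven attenuates; code twelve is accepted."""
    vehicle, fob = Vehicle(10), KeyFob(10)
    fob.press("unlock")                        # eleven never arrives
    accepted = vehicle.receive(fob.press("unlock"))
    return accepted, vehicle.rolling_code_base


def rolljam_scenario(owner_uses_fob_before_second_replay):
    """FIG. 8 sequence as seen by the vehicle's authentication logic."""
    vehicle, fob = Vehicle(10), KeyFob(10)
    message_451 = fob.press("unlock")          # recorded, jammed (457a)
    message_452 = fob.press("unlock")          # recorded, jammed (457b)
    first = vehicle.receive(message_451)       # blocks 453 and 454
    if owner_uses_fob_before_second_replay:
        # A later genuine message reaches the vehicle and raises the base
        # past the rolling code of the stored message 452.
        vehicle.receive(fob.press("lock"))
    second = vehicle.receive(message_452)      # blocks 455 and 456
    repeat = vehicle.receive(message_452)      # same message sent again
    return first, second, repeat


if __name__ == "__main__":
    print(missed_message_scenario())
    print(rolljam_scenario(False))
    print(rolljam_scenario(True))
```

The model shows two properties of the known scheme: a stored message is accepted at most once, and it stops being valid as soon as the vehicle accepts any later genuine message from the key fob.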
A solution is needed to defeat or impair the rolljam attack.